Create, Approve, Deny and Delete CSR in Kubernetes Cluster

  • Post author:
Use Case: Create a CertificateSigningRequest object with the name datalake with the contents of the datalake.csr file
Please note that an additional field called signerName should also be added when creating CSR. For client authentication to the API server we will use the built-in signer kubernetes.io/kube-apiserver-client.
Step1: Download the sample file from https://github.com/prashant-raghava/CSR
devopsbaba~ ➜ cat > datalake.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: myuser
spec:
   request: <CSR>
   signerName: kubernetes.io/kube-apiserver-client
   usages:
     - client auth
Step2: Update datalake.yaml and replace request section in file with datalake.csr. Before replacing we need to convert it to base64 format as shown below:
** Note: We did -w 0 to make it in a single line
devopsbaba~ ➜ cat datalake.csr | base64 -w 0
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZqQ0NBVDRDQVFBd0VURVBNQTBHQTFVRUF3d0dZV3R6YUdGNU1JSUJJakFOQmdrcWhraUc5
dzBCQVFFRgpBQU9DQVE4QU1JSUJDZ0tDQVFFQTB1M2hnQUYyd2xMYWRlZ1FFcnUwenFCMUxwWGFQbVlzT0t4NkZpMThzdDByCmdxaVRlbEhBakZkTC9tQlNqdlZETW
dqbW5hQjZ4MGZZaGxkdW41WEdFREtLdGh5RnB2Q3AzaG8rbVdqWkpqODcKYWxDSUJkUG40TXRmaW9ucW00a1FObVdpalhKOHdCQVBDY0c4cyt0OHB6dHI1ajFTS0JNZ
HZLTE5TcFZYUHEvNQpoQXJ6WWZZNm9pYkt1YWJ2b2dWejNHN0JhM3FxcENLOVFpc05WR0xEWXBQTVp3aE1TK0lYQmNBYjVLWWs5TWRNCjQvcmtvTENyUmdUOVAyR2
RJbWNLTCtZdXZvQXdHbkl6Mm1XSTBvend1ZlBYSGdQdnltcDdQSXlFU1hrVG9waDUKTUpEVnFqSlYxLy9BazZWZTRDUHRHcVpLNVRPZFFZUW1tZ2FMa2xLTEhRSURBUUF
Cb0FBd0RRWUpLb1pJaHZjTgpBUUVMQlFBRGdnRUJBS3NnSUJBQ1VxMDFKNTNDdEJIaTF0RkxXaVZnNnpRdWFqVFpQeGx2QW9jb1dxS2pLUUR2CjRjSXlSV0k0QWpGUE
pXTEZ1TC9GbmxuTDlSK3pRemhuNHBWbHJRRVhhOXJkNVZLZEp4SkVCdVVSNDZJOXpBakEKVmFWYTNIVVZvUnZQZ1poT21HbVlCOCt2MllIWWZ6MXF5b0NuV0k4REI1R
jZseWpBTVpwUnlLSlZOalpxZWVDRApDZnlsQXBackpsOTk3OEhTN0ZnTk5Va3VoNDB0Q3QvdklIRDRiUmplWVZ4ZEx2S2JQTkorUXZvbDNUcHBDVDZBCmppc09iL3NyVFhBK
zJGd1d5aUtvRDJqTjlqWGNMdGtCb3h4dkpYWFp1NmRFek1vRG15L3lBV2JvZ2pPNDVndUUKbXhJMjFPbXNnU1ZqelZtSkhJTkV5UWxJK2ptUXNyNllrcTg9Ci0tLS0tRU5EIENFU
lRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
New datalake.yaml will look like below:
 

Step3: Create certificate request
devopsbaba~ ➜ kubectl create -f datalake.yaml
certificatesigningrequest.certificates.k8s.io/datalake created
 
Step4: Verify the request
devopsbaba~ ➜ kubectl get csr
NAME         AGE       SIGNERNAME                                              REQUESTOR                        REQUESTEDDURATION       CONDITION
datalake      67s        kubernetes.io/kube-apiserver-client               kubernetes-admin                  <none>                                   Pending
csr-w424c   31m       kubernetes.io/kube-apiserver-client-kubelet  system:node:devopsbaba      <none>                                   Approved,Issued
Step5: Approve Certificate request:
devopsbaba~ kubectl certificate approve datalake
certificatesigningrequest.certificates.k8s.io/datalake approved
Step6: Check the CSR request available in the cluster
devopsbaba~ ➜ kubectl get csr
NAME            AGE        SIGNERNAME                                               REQUESTOR                          REQUESTEDDURATION            CONDITION
datalake         67s         kubernetes.io/kube-apiserver-client                kubernetes-admin                    <none>                                        Approved
csr-w424c      31m        kubernetes.io/kube-apiserver-client-kubelet   system:node:devopsbaba         <none>                                       Approved,Issued
Step7: Delete and deny the certificate request. Check the request
devopsbaba~ ➜ kubectl get csr agent-smith -o yaml
Step8: Deny the certificate request received by agent-X
devopsbaba~ ➜ kubectl certificate deny agent-X
certificatesigningrequest.certificates.k8s.io/agent-X denied
Step9: Delete CSR object
devopsbaba~ ➜ kubectl delete csr agent-X
certificatesigningrequest.certificates.k8s.io "agent-X" deleted
Tags: , ,

Leave a Reply